2016-06-06 - EK DATA DUMP (NEUTRINO EK, RIG EK)

ASSOCIATED FILES:

• ZIP archive of the pcaps:  2016-06-06-EK-data-dump-pcaps.zip   2.8 MB (2,818,692 bytes)

• 2016-06-06-Rig-EK.pcap   (431,364 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-first-run.pcap   (1,271,688 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-sends-CryptXXX-second-run.pcap   (1,469,813 bytes)

• ZIP archive of the malware and artifacts:  2016-06-06-EK-data-dump-malware-and-artifacts.zip   944.5 kB (944,494 bytes)

• 2016-06-06-Rig-EK-flash-exploit.swf   (15,493 bytes)
• 2016-06-06-Rig-EK-landing-page.txt   (5,188 bytes)
• 2016-06-06-Rig-EK-payload.exe   (311,296 bytes)
• 2016-06-06-page-from-garlocksafety.com-with-injected-pseudoDarkleech-script-first-run.txt   (15,049 bytes)
• 2016-06-06-page-from-garlocksafety.com-with-injected-pseudoDarkleech-script-second-run.txt   (17,535 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-decrypt-instructions.bmp   (3,686,454 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-decrypt-instructions.html   (14,190 bytes)
• 2016-06-06-pseudoDarkleech-CryptXXX-decrypt-instructions.txt   (1,755 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-flash-exploit-first-run.swf   (89,256 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-flash-exploit-second-run.swf   (89,336 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-landing-page-first-run.txt   (770 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-landing-page-second-run.txt   (758 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-first-run.dll   (396,800 bytes)
• 2016-06-06-pseudoDarkleech-Neutrino-EK-payload-CryptXXX-second-run.dll   (662,528 bytes)

 

NOTES:

• This EK data dump has one Rig EK pcap and two Neutrino EK pcaps.
• In today's examples, the pseudoDarkleech campaign is using Neutrino EK (instead of Angler EK) to deliver CryptXXX ransomware.

SOME HISTORY ON PSEUDO-DARKLEECH AND CRYPTXXX:

• On 2016-03-22, PaloAlto Networks posted a blog that provides background on the pseudoDarkleech campaign (link).
• On 2016-04-16, Proofpoint reported the first sightings of CryptXXX ransomware (link).
• On 2016-04-23, I posted an ISC diary about pseudo-Darkleech causing Angler EK/Bedep/CryptXXX infections (link).
• On 2016-04-28, PaloAlto Networks reported another campaign called "Afraidgate" had switched from Locky ramsomware to delivering CryptXXX (link).
• On 2016-05-09, Proofpoint issued another report on CryptXXX, now at version 2.0 (link).
• On 2016-05-24, BleepingComputer reported CryptXXX was updated to version 3.0 (link) two days before I saw it on 2016-05-26 (link).
• On 2016-05-27, McAfee published a great blog post about deobfuscating injected Darkleech script (link).
• On 2016-06-01, Due to the new decryption instructions, some organizations say version 3 of CryptXXX may actually be "UltraCrypter" (link) and (link).
• On 2016-06-03, Proofpoint published an update about CryptXXX, now at version 3.1 (link).

BACKGROUND ON TODAY'S RIG EK EXAMPLE:

• Today's Rig EK pcap (kicked off by pavtube.com) is from a campaign explained in two diaries at the Internet Storm Center (ISC) located here and here.
• In April 2016, BAE systems did an in-depth write-up on this Rig EK campaign.  A link to the PDF report is here.

 

TRAFFIC

ASSOCIATED DOMAINS:

• www.pavtube.com - GET /public/temp/js/jquery.js - file with injected script
• 67.215.187.94 port 80 - a.topgunn.photography - GET /yjviewforumbgtnb.php - gate provides data to determine Rig EK landing page
• 5.200.55.117 port 80 - gr.toiletrolltalker.com - Rig EK

• 104.238.171.123 port 80 - uesrjjwbk.exiteam.top - Neutrino EK first run
• 45.32.183.118 port 80 - glsmafknv.5issuei.top - Neutrino EK second run
• 188.0.236.7 port 443 - CryptXXX post-infection traffic (custom encoded)

 

 

FINAL NOTES

Once again, here are the associated files:

• ZIP archive of the pcaps:  2016-06-06-EK-data-dump-pcaps.zip   2.8 MB (2,818,692 bytes)
• ZIP archive of the malware and artifacts:  2016-06-06-EK-data-dump-malware-and-artifacts.zip   944.5 kB (944,494 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.